Decipher the passwords of your user account with John the Ripper
I wanted to try out the password cracker "John the Ripper" (1).
- I had to set up the config file correctly first (the quick route for a newbie who does not want to read too much is to grab the one from GitHub (see below) and comment out 3 sections) (2)
- the result was stunning: John was so fast to crack this! This should be shown to users who set easy passwords!
I. Get the password files (as root, or (3)):
umask 077
unshadow /etc/passwd /etc/shadow > mypasswd
II. I had to create the config file first:
fopen: /usr/share/john/john.conf: No such file or directory
III. Then I tried:
john mypasswd
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 32/32])
No "single crack" mode rules found in /usr/share/john/john.conf
IV. Then I read up on the options of the config file and added:
[Options]
Wordlist = /home/tux/Downloads/all
#from: https://download.openwall.net/pub/wordlists/all.gz
But still no success. Still the same message!
V. So I googled for an existing config file and tried this one:
#https://github.com/piyushcse29/john-the-ripper/blob/master/run/john.conf
VI. I had to remove 3 sections that it complained about later when running:
#Error in /usr/share/john/john.conf at line 432
And then it worked :-)
And boy, was that fast (the test password was: 1234567)!
john mypasswd
john --show mypasswd
root:**1234567**:0:0:Root Administrator:/root:/bin/sh
tux:NO PASSWORD:1000:100:SliTaz User:/home/tux:/bin/sh
2 password hashes cracked, 0 left
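The run above shows two findings that can be flagged without cracking anything: root's hash is stored as descrypt (traditional DES crypt(3), which uses only the first 8 characters of a password), and tux has an empty password field. As an added example that is not part of the original post, this Python script reads lines in the format `unshadow` writes and reports both; the sample lines, the placeholder hash strings and the function names are assumptions of this example.

```python
import re

# Constructed sample in unshadow output format (user:hash:uid:gid:gecos:home:shell).
# The hash strings are made-up placeholders, not real password hashes.
SAMPLE = """\
root:XXplaceholder:0:0:Root Administrator:/root:/bin/sh
tux::1000:100:SliTaz User:/home/tux:/bin/sh
alice:$6$examplesalt$PLACEHOLDER:1001:100:Alice:/home/alice:/bin/sh
daemon:*:2:2:daemon:/dev/null:/bin/false
"""

# Modular crypt prefixes and the scheme each one identifies.
PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
WEAK = {"descrypt", "md5crypt"}
# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")


def scheme(field):
    """Name the storage scheme of one password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"  # account cannot log in with a password
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if DES_RE.fullmatch(field) else "unknown"


def audit(text):
    """Return (user, scheme, verdict) for every account line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        name = scheme(parts[1])
        if name == "empty":
            verdict = "CRITICAL: empty password field"
        elif name in WEAK:
            verdict = "WEAK: migrate to a modern scheme"
        else:
            verdict = "REVIEW" if name == "unknown" else "ok"
        rows.append((parts[0], name, verdict))
    return rows


if __name__ == "__main__":
    for user, name, verdict in audit(SAMPLE):
        print(f"{user:8} {name:12} {verdict}")
```

To check a real system, pass the contents of the `mypasswd` file from step I to `audit()` instead of `SAMPLE`.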
(1) After cooking a @SliTaz package you also have to test it.
So, here is how the test went,
and I can use this for my future package builds.
(2) Later I saw that the GitHub repo is from 2013,
so better find another repo first.
But that is what DuckDuckGo gave me on the 1st page.
(3) or your local state agency utilizes flaws in specific software packages of your OS ;-)